
ScreenOS Basics Review
Copyright 2005 Juniper Networks, Inc. Proprietary and Confidential
www.juniper.net

Security Architecture Components

[Figure: a Juniper Networks device containing virtual systems (VSYS). Each virtual system holds virtual routers (Virtual Router 1, Virtual Router 2), each with its own routing table (R.T.) and forwarding table. Interfaces E1-E8 are grouped into security zones (Zone A-D), and the policy check is made between zones; the example shows a policy check for traffic from Zone A to Zone C.]

A flow is identified by its 5-tuple; the device keeps a session for it that also records the reply direction:

  Flow:     SRC-IP 1.2.3.4   DST-IP 5.6.7.8   Protocol 6   SRC Port 1234   DST Port 80
  Session:  SRC-IP 5.6.7.8   DST-IP 1.2.3.4   Protocol 6   SRC Port 80     DST Port 1234

2008 Juniper Networks, Inc. All rights reserved.

Zone and Interface Assignments

A strict hierarchical linkage exists between zones and interfaces:
  Zones are assigned to a virtual router
  Interfaces are assigned to a security zone, and to only one zone
  Individual configuration parameters are assigned to interfaces:
    IP addresses
    Management services
    Others

[Figure: Interface (with its IP address) -> Zone -> Virtual Router.]

Packet Flow Sequence Through Security Zones

[Figure only.]

Initial Deployment Requirements

Interfaces:
  Zone assignment
  IP address
  Subnet mask
Routing table entries:
  Static routes
  Default route
Initial policy:
  Use any any any permit for testing connectivity

Configuring Zones and Interfaces

Parameters:
  Zone: Trust/Untrust/DMZ or user defined
  IP: IP address and subnet mask
Configuration:
  CLI:
    set interface int-name zone zone-name
    set interface int-name ip x.x.x.x/mask
    FW-> set interface e0/1 zone trust
    FW-> set interface e0/1 ip 1.1.1.1/24
  WebUI: Network > Interfaces > Edit

Static Route

Parameters:
  Destination network and mask (0.0.0.0/0 for the default route toward the upstream router)
  Name of the egress interface
  IP address of the next-hop gateway, which must be on the subnet of that interface
Configuration:
  CLI:
    set [vrouter vrouter-name] route network/mask interface name gateway ip
    FW-> set route 0.0.0.0/0 interface e0/0 gateway 1.1.1.1
  WebUI: Network > Routing > Destination > New

Policy

Create an open policy for initial connectivity:
  Allows you to verify connectivity through the device without any policy concerns
Configuration:
  CLI:
    set policy from zone to zone source-addr dest-addr service action
    FW-> set policy from trust to untrust any any any permit
  WebUI: Policy > Policies
The any/any/any permit is a test aid only; replace it with the intended policy set before the device carries production traffic.
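
The three deployment steps above (interface zone and address, static or default route, open test policy), carried through as an added example. This is editor-written Python, not code from the slides or from Juniper: it renders the commands and runs the checks a practitioner wants before pasting them into the device, namely that each interface has a zone and a parseable address, that each route's gateway lies on the subnet of its egress interface and is not the device's own address, and that an any/any/any permit is flagged as testing-only. Interface e0/1 trust 1.1.1.1/24 is the slides' own value; the e0/0 address 1.1.7.1/24 and the gateway 1.1.7.254 are assumptions.

```python
import ipaddress

# Constructed sample deployment. e0/1 trust 1.1.1.1/24 is the page's example;
# the e0/0 address and the default-route gateway are assumed values.
INTERFACES = {
    "e0/0": {"zone": "untrust", "ip": "1.1.7.1/24"},
    "e0/1": {"zone": "trust", "ip": "1.1.1.1/24"},
}
ROUTES = [
    {"dest": "0.0.0.0/0", "interface": "e0/0", "gateway": "1.1.7.254"},
]
POLICIES = [
    {"from": "trust", "to": "untrust", "src": "any", "dst": "any",
     "svc": "any", "action": "permit"},
]


def validate(interfaces, routes, policies):
    """Return human-readable problems; an empty list means the set is consistent.
    Entries starting with 'warning:' are permitted but need follow-up."""
    problems = []
    for name, cfg in interfaces.items():
        if not cfg.get("zone"):
            problems.append(f"{name}: no zone assignment")
        try:
            ipaddress.ip_interface(cfg["ip"])
        except ValueError:
            problems.append(f"{name}: bad address/mask {cfg['ip']!r}")
    for r in routes:
        ifc = interfaces.get(r["interface"])
        if ifc is None:
            problems.append(f"route {r['dest']}: unknown interface {r['interface']}")
            continue
        try:
            local = ipaddress.ip_interface(ifc["ip"])
            gw = ipaddress.ip_address(r["gateway"])
        except ValueError:
            problems.append(f"route {r['dest']}: unparseable address")
            continue
        if gw == local.ip:
            problems.append(f"route {r['dest']}: gateway {gw} is the device's own address")
        elif gw not in local.network:
            # ScreenOS expects the next hop to be on-link for the named interface.
            problems.append(f"route {r['dest']}: gateway {gw} is not on "
                            f"{r['interface']} ({local.network})")
    for p in policies:
        if (p["src"], p["dst"], p["svc"], p["action"]) == ("any", "any", "any", "permit"):
            problems.append(f"warning: policy {p['from']}->{p['to']} is "
                            "any/any/any permit; connectivity testing only")
    return problems


def render(interfaces, routes, policies):
    """Emit the ScreenOS commands in the order the slides give them."""
    lines = []
    for name, cfg in interfaces.items():
        lines.append(f"set interface {name} zone {cfg['zone']}")
        lines.append(f"set interface {name} ip {cfg['ip']}")
    for r in routes:
        lines.append(f"set route {r['dest']} interface {r['interface']} "
                     f"gateway {r['gateway']}")
    for p in policies:
        lines.append(f"set policy from {p['from']} to {p['to']} "
                     f"{p['src']} {p['dst']} {p['svc']} {p['action']}")
    return lines


if __name__ == "__main__":
    for problem in validate(INTERFACES, ROUTES, POLICIES):
        print("#", problem)
    print("\n".join(render(INTERFACES, ROUTES, POLICIES)))
```

Run against the slides' own route example (gateway 1.1.1.1 out e0/0) with an e0/0 on a different subnet, validate() reports the gateway as off-link, which is the kind of mistake that only shows up as "default route not working" once the device is in the rack.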

Initial Configuration Options

Best Practices:
  Secure management connections:
    Disable Telnet and Web (HTTP); use SSH and SSL (HTTPS)
    Configure a Manage IP address on the interfaces
    Set Permitted IP addresses to restrict management access
  Network services:
    DNS
    NTP

Management Services

If you do not specify a service in the CLI command, all services are enabled.
Configuration:
  CLI:
    set interface name manage [service]
    FW-> set interface e0/1 manage ping
    FW-> set interface e0/1 manage ssl
    Enable all services:
    FW-> set interface e0/1 manage
  WebUI: Network > Interfaces > Edit
Prefer the service-specific form: the bare command turns on Telnet and HTTP along with everything else. Remove cleartext services with unset interface name manage telnet and unset interface name manage web.

Manage IP Address

A separate IP address used specifically for management; it must be in the same subnet as the interface IP address.
Configuration:
  CLI:
    set interface name manage-ip address
    FW-> set interface e0/1 manage-ip 10.1.1.1
  WebUI: Network > Interfaces > Edit

Permitted IP Addresses

Configuration:
  CLI:
    set admin manager-ip address [mask]
    FW-> set admin manager-ip 1.1.7.250
    FW-> set admin manager-ip 1.1.1.0 255.255.255.0
  WebUI: Configuration > Admin > Permitted IPs
Once the first manager-ip entry exists, management is accepted only from the listed addresses, so add the address you are managing from before anything else or the session you are typing in is the first one cut off.
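
The three management controls above (manage-ip, per-service manage, permitted IPs) as an added example. This is editor-written Python, not code from the slides or Juniper: it emits the commands and refuses to produce any if applying them would lock out the session issuing them (the originating address is outside the permitted list) or be rejected by the device (manage-ip outside the interface subnet). The interface address 1.1.1.1/24 and the two permitted entries are the slides' own examples; the manage-ip 1.1.1.10, the admin address 1.1.7.250 as the originating session, and the allowed service set ssh/ssl/ping are assumptions.

```python
import ipaddress

# Constructed sample. Interface e0/1 1.1.1.1/24 and the two manager-ip entries
# are the page's examples; the manage-ip, the admin workstation address and the
# service sets are assumptions.
MGMT_INTERFACE = "e0/1"
INTERFACE_IP = "1.1.1.1/24"
MANAGE_IP = "1.1.1.10"
PERMITTED = ["1.1.7.250", "1.1.1.0/24"]
ALLOWED_SERVICES = ("ssh", "ssl", "ping")     # encrypted management plus ping
CLEARTEXT_SERVICES = ("telnet", "web")        # explicitly removed


def is_permitted(addr, permitted):
    """True if addr is covered by a host or network entry of the permitted list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in permitted)


def lockdown(admin_from, interface=MGMT_INTERFACE, interface_ip=INTERFACE_IP,
             manage_ip=MANAGE_IP, permitted=PERMITTED):
    """Return (commands, problems). Commands are only produced when no problem
    was found, so a lockout cannot be half-applied."""
    problems = []
    local = ipaddress.ip_interface(interface_ip)
    if ipaddress.ip_address(manage_ip) not in local.network:
        problems.append(f"manage-ip {manage_ip} is not in {interface}'s subnet "
                        f"{local.network}")
    if not is_permitted(admin_from, permitted):
        problems.append(f"your own address {admin_from} is not in the permitted "
                        "list; applying this would cut off this session")
    if problems:
        return [], problems
    cmds = [f"set interface {interface} manage-ip {manage_ip}"]
    cmds += [f"set interface {interface} manage {svc}" for svc in ALLOWED_SERVICES]
    cmds += [f"unset interface {interface} manage {svc}" for svc in CLEARTEXT_SERVICES]
    for entry in permitted:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            cmds.append(f"set admin manager-ip {net.network_address}")   # host form
        else:
            cmds.append(f"set admin manager-ip {net.network_address} {net.netmask}")
    return cmds, []


if __name__ == "__main__":
    commands, problems = lockdown("1.1.7.250")
    print("\n".join(commands) if commands else "\n".join("# " + p for p in problems))
```

Passing the slides' own manage-ip example (10.1.1.1) against the 1.1.1.1/24 interface is the negative case: the function returns the subnet problem and no commands.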

DNS Configuration

Parameters:
  DNS 1: IP address of the primary DNS server
  DNS 2: IP address of the secondary DNS server
  Schedule: time of day (hh:mm) at which resolved addresses are refreshed
Configuration:
  CLI:
    set dns host dns1 ip_address
    set dns host dns2 ip_address
    set dns host dns3 ip_address
    set dns host schedule hh:mm
  WebUI: Network > DNS

NTP Configuration

Parameters:
  Server: IP address of the primary NTP server
  Interval: update interval, in minutes
  Maximum Adjustment: largest time change, in seconds, the device will accept from the server
Configuration:
  CLI:
    set ntp server name
    set ntp server src-interface name
    set ntp interval minutes
    set ntp max-adjustment seconds
  WebUI: Configuration > Date & Time

Internal Management

Counters:
  Hardware
  Flow
  Policy
  SCREEN
Logs:
  Event
  Traffic
  Self
Alarms:
  Device
  Traffic

Interface Counters: Hardware

Group1-SSG1-> get counter statistics interface e0/0
Hardware counters for interface ethernet0/0:
    in bytes      14774934 | out bytes      8482094 | early frame        0
    in packets      166106 | out packets      89112 | late frame         0
    in no buffer         0 | out no buffer       0 | re-xmt limit       0
    in overrun           0 | out underrun        0 | drop vlan          0
    in coll err          0 | out coll err        0 | out cs lost        0
    in misc err          0 | out misc err        0 |
    in dma err           0 | out bs pak          0 |
    in crc err           0 | out discard         0 |
    in align err         0 | out defer           0 |
    in short frame       0 | out heartbeat       0 |
Hardware 64-bit counters for interface ethernet0/0:
    in bytes      14774934 | out bytes      8482094
    in ucast        165276 | out ucast        89112
    in mcast             0 | out mcast            0
    in bcast             0 | out bcast            0

Interface Counters: Flow

FW-> get counter flow interface e0/0
Total flow counters for interface ethernet0/0:
    in bytes       14774934 | out bytes        7966328 | tcp proxy             0
    in packets       166106 | out packets        89112 | tear drop             0
    in vlan               0 | out vlan               0 | in permit       3223478
    out permit       257080 | src route              0 | no g-parent           0
    ping of death         0 | no gate sess           0 | address spoof         0
    in icmp               5 | no nat vector          0 | land attack           0
    in self               0 | no map                 0 | icmp flood            0
    in un-auth            0 | no conn                0 | udp flood             0
    in unk prot           0 | no dip                 0 | winnuke               0
    in vpn            35964 | no gate                0 | port scan             0
    in other              0 | no xmit vpnf           0 | ip sweep              0
    no mac                0 | no route               0 | tcp out of seq        0
    mac relearn           0 | no frag sess           0 | wrong intf            0
    slow mac              0 | no frag netpak         0 | wrong slot            0
    trmng queue           0 | no sa                  0 | icmp broadcast        0
    trmng drop            0 | no sa policy           0 | illegal pak           8
    tiny frag             0 | sa inactive            0 | url block             0
    syn frag              0 | sa policy deny         0 | encrypt fail          0
    connections           0 | policy deny            0 | mp fail               0
    misc prot             0 | auth deny              0 | auth fail             0
    loopback drop         0 | big bkstr              0 | proc sess             0
    mal url               0 | sessn thresh           0 | invalid zone          0
    null zone             0 | no nsp-tunnel          0 | IP cls failure        0
    first pak frag        0 | unknown pak            0 | multiauth drop        0
    multi-DIP drop        0 | app link down          0 |
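
An added example (editor-written Python, not part of the slides): a parser for the three-column counter layout above, using the page's own e0/0 output as the constructed sample, plus the two things one actually does with the numbers: list the SCREEN and drop counters that are non-zero (here only illegal pak, at 8) and diff two snapshots so that growth, rather than absolute value, drives the investigation. The choice of which counters count as drop or attack indicators is mine, not the page's.

```python
import re

# Constructed sample: the page's "get counter flow interface e0/0" output,
# in the CLI's three pipe-separated "name value" columns.
SAMPLE = """\
Total flow counters for interface ethernet0/0:
    in bytes       14774934 | out bytes        7966328 | tcp proxy             0
    in packets       166106 | out packets        89112 | tear drop             0
    in vlan               0 | out vlan               0 | in permit       3223478
    out permit       257080 | src route              0 | no g-parent           0
    ping of death         0 | no gate sess           0 | address spoof         0
    in icmp               5 | no nat vector          0 | land attack           0
    in self               0 | no map                 0 | icmp flood            0
    in un-auth            0 | no conn                0 | udp flood             0
    in unk prot           0 | no dip                 0 | winnuke               0
    in vpn            35964 | no gate                0 | port scan             0
    in other              0 | no xmit vpnf           0 | ip sweep              0
    no mac                0 | no route               0 | tcp out of seq        0
    mac relearn           0 | no frag sess           0 | wrong intf            0
    slow mac              0 | no frag netpak         0 | wrong slot            0
    trmng queue           0 | no sa                  0 | icmp broadcast        0
    trmng drop            0 | no sa policy           0 | illegal pak           8
    tiny frag             0 | sa inactive            0 | url block             0
    syn frag              0 | sa policy deny         0 | encrypt fail          0
    connections           0 | policy deny            0 | mp fail               0
    misc prot             0 | auth deny              0 | auth fail             0
    loopback drop         0 | big bkstr              0 | proc sess             0
    mal url               0 | sessn thresh           0 | invalid zone          0
    null zone             0 | no nsp-tunnel          0 | IP cls failure        0
    first pak frag        0 | unknown pak            0 | multiauth drop        0
    multi-DIP drop        0 | app link down          0 |
"""

# One cell: a counter name (may contain spaces) followed by an integer.
CELL = re.compile(r"^\s*(.+?)\s+(\d+)\s*$")


def parse_flow_counters(text):
    """Map counter name -> value from the CLI's column layout; header lines
    (no pipe) and the empty cell after a trailing pipe are skipped."""
    counters = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        for cell in line.split("|"):
            m = CELL.match(cell)
            if m:
                counters[m.group(1)] = int(m.group(2))
    return counters


# Counters that should stay at zero on a healthy interface; a non-zero value is
# a SCREEN hit or a drop worth explaining. The selection is the editor's.
DROP_COUNTERS = (
    "ping of death", "tear drop", "land attack", "icmp flood", "udp flood",
    "winnuke", "port scan", "ip sweep", "address spoof", "syn frag",
    "tiny frag", "illegal pak", "src route", "icmp broadcast",
    "policy deny", "auth deny", "sa policy deny", "mal url", "url block",
)


def suspicious(counters):
    """Subset of DROP_COUNTERS that is present and non-zero."""
    return {k: counters[k] for k in DROP_COUNTERS if counters.get(k)}


def delta(before, after):
    """Per-counter increase between two snapshots. A counter that went down
    (cleared or wrapped) is reported as None rather than hidden; unchanged
    counters are dropped."""
    out = {}
    for name, value in after.items():
        if name not in before:
            continue
        out[name] = value - before[name] if value >= before[name] else None
    return {k: v for k, v in out.items() if v != 0}


if __name__ == "__main__":
    current = parse_flow_counters(SAMPLE)
    print("non-zero drop/SCREEN counters:", suspicious(current))
```

Take a snapshot before and after a change window (or at a fixed interval) and feed both to delta(); an illegal pak counter sitting at 8 for a month is noise, the same counter moving by 8 in a minute is not.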

Event Log

FW-> get event
Date       Time     Module Level Type  Description
2006-08-26 11:04:45 system notif 00002 Admin User "netscreen" logged in for
                                       Web(http) management (port 80) from
                                       10.120.1.189:3043
2006-08-26 11:00:31 system warn  00515 Admin User netscreen has logged on via
                                       console
2006-08-26 10:59:14 system info  00551 NSRD won't start because gateway has
                                       configuration.
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:

The first entry is exactly what the best practices above warn against: an administrator login over cleartext HTTP (port 80), using the factory account name netscreen.

Filtering/Sorting/Saving the Event Log

FW-> get event ?
>            redirect output
|            match output
<return>
dst-ip       show event to destination IPs
end-date     stop date
end-time     stop time
exclude      exclude events containing this string
include      show events containing this string
level        events matching this severity level
module       events reported by module name
sort-by      show sorted event log
src-ip       show event from source IPs
start-date   start date
start-time   start time
type         events matching specified message type(s)
FW-> get event sort-by ?
date         show event log sorted by date
dst-ip       show event log sorted by dest ip
src-ip       show event log sorted by source ip
time         show event log sorted by time
FW-> get event level emergency > tftp 1.1.7.250 EmergEvent0702.txt

The redirect writes over TFTP, which is unauthenticated and unencrypted; keep the TFTP server on the management network.

Log Entry Severity Levels

Security Manager severity    ScreenOS software severity
Critical                     Emergency, Alert
Major                        Critical
Minor                        Error
Warning                      Warning
Info                         Notification, Information
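
An added example (editor-written Python, not from the slides or Juniper): a parser for the get event output shown two slides back, including the wrapped description lines the CLI prints, with the ScreenOS-to-Security Manager severity mapping from the table above and an audit pass that flags what the page's own sample contains: an admin login over cleartext Web(http) and use of the factory account name netscreen. The level abbreviations notif, warn and info appear in the sample; emer, alert, crit and error are assumed from the full level names.

```python
import re

# Constructed sample: the page's "get event" excerpt, with the description
# wrapped onto indented continuation lines as the CLI prints it.
SAMPLE = """\
Date       Time     Module Level Type  Description
2006-08-26 11:04:45 system notif 00002 Admin User "netscreen" logged in for
                                       Web(http) management (port 80) from
                                       10.120.1.189:3043
2006-08-26 11:00:31 system warn  00515 Admin User netscreen has logged on via
                                       console
2006-08-26 10:59:14 system info  00551 NSRD won't start because gateway has
                                       configuration.
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
2006-08-26 10:59:14 system notif 00767 System was shut down at 2003-08-26 10:
"""

# date time module level type(5 digits) description
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+)\s+(\S+)\s+(\d{5}) (.*)$")

# ScreenOS level abbreviation -> Security Manager severity (table above).
# notif/warn/info are in the sample; the others are assumed abbreviations.
LEVEL_TO_NSM = {
    "emer": "Critical", "alert": "Critical", "crit": "Major", "error": "Minor",
    "warn": "Warning", "notif": "Info", "info": "Info",
}

# Both login phrasings seen in the sample: "logged in for <method> management
# ... from <ip>" and "has logged on via <channel>".
ADMIN_LOGIN = re.compile(
    r'Admin User "?(\w+)"? (?:logged in for (\S+) management.*?from (\d+(?:\.\d+){3})'
    r'|has logged on via (\w+))')


def parse_events(text):
    """Turn the CLI listing into dicts, joining wrapped description lines."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            date, time, module, level, etype, desc = m.groups()
            events.append({"date": date, "time": time, "module": module,
                           "level": level, "type": etype,
                           "description": desc.strip()})
        elif events and line.startswith(" "):
            events[-1]["description"] += " " + line.strip()   # continuation
    return events


def nsm_severity(event):
    return LEVEL_TO_NSM.get(event["level"], "unknown")


def audit(events, default_accounts=("netscreen",)):
    """Flag management logins over cleartext channels and logins by factory
    account names. Returns one finding dict per issue, in event order."""
    findings = []
    for i, ev in enumerate(events):
        m = ADMIN_LOGIN.search(ev["description"])
        if not m:
            continue
        user, method, src, via = m.groups()
        channel = (method or via).lower()
        if channel in ("web(http)", "telnet"):
            findings.append({"kind": "cleartext-mgmt", "event": i,
                             "detail": f"{user} via {method} from {src}"})
        if user in default_accounts:
            findings.append({"kind": "default-admin", "event": i,
                             "detail": f"{user} via {channel}"})
    return findings


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(nsm_severity(ev), ev["type"], ev["description"])
    for f in audit(parse_events(SAMPLE)):
        print("FINDING", f["kind"], f["detail"])
```

The same parser works on the output of get event level ... or on a file saved through the tftp redirect; the continuation handling matters because the source address of a login is usually on the wrapped third line.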

Log Settings

Configuration > Report Settings > Log Settings
set log module system level name destination name

Setting Alarm Thresholds

System alarms
Configuration:
  CLI:
    set alarm threshold cpu percent
    set alarm threshold memory percent
    set alarm threshold session [count number | percent percent]

External Management Devices

Several common services operate in conjunction with the Juniper Networks device:
  DNS
  NTP
  Syslog
  SNMP
  Security Manager
  WebTrends

DNS Configuration

Parameters:
  DNS 1: IP address of the primary DNS server
  DNS 2: IP address of the secondary DNS server
  Schedule: time of day (hh:mm) at which resolved addresses are refreshed
Configuration:
  CLI:
    set dns host dns1 ip_address
    set dns host dns2 ip_address
    set dns host dns3 ip_address
    set dns host schedule hh:mm
  WebUI: Network > DNS > Host
  Security Manager: Edit Device > Network > DNS

NTP Configuration

Parameters:
  Server: IP address of the primary NTP server
  Interval: update interval, in minutes
  Maximum Adjustment: largest time change, in seconds, the device will accept from the server
Configuration:
  CLI:
    set ntp server name
    set ntp server src-interface name
    set ntp interval minutes
    set ntp max-adjustment seconds
  WebUI: Configuration > Date & Time
  Security Manager: Edit Device > Configuration > Date & Time

SNMP Parameters

Parameters:
  Contact: name of the contact
  Location: name of the location
  Port: listen or trap port number
  Community Name: name of the SNMP community
  Community Version: version of the SNMP community
  Community Host: IP address
  Community Host Trap: IP address

SNMP Configuration

Configuration:
  CLI:
    set snmp contact name
    set snmp location name
    set snmp port [listen | trap] port
    set snmp community name [trap-on | trap-off]
    set snmp community name version [v1 | v2c]
    set snmp host community-name ip_address src-interface name
    set snmp host community-name ip_address trap version
  WebUI:
    Configuration > Report Settings > SNMP
    Configuration > Report Settings > SNMP > New Community
  Security Manager:
    Edit Device > Report Settings > SNMP
    Edit Device > Report Settings > SNMP > New Community
SNMP v1 and v2c send the community name in cleartext, so treat it as a password: choose a non-default name and bind each community to its specific management hosts with set snmp host.

SNMP Configuration: WebUI (1 of 2)

Configuration > Report Settings > SNMP

SNMP Configuration: WebUI (2 of 2)

Configuration > Report Settings > SNMP > Community

Syslog Configuration

Parameters:
  config ip_address and facility: IP address and facility of the syslog server
  config log: All | Traffic | Event
  src-interface: interface whose IP address is used as the source of logging messages
  enable: enable syslog messages
Configuration:
  CLI:
    set syslog config ip_address facility facility
    set syslog config ip_address log [all | traffic | event]
    set syslog src-interface name
    set syslog enable
  WebUI: Configuration > Report Settings > Syslog
  Security Manager: Device Edit > Report Settings > Syslog

Managing License Keys

ScreenOS keys are needed for the following features:
  Capacity expansion (extended and advanced releases)
  Antivirus
  URL filtering
  Deep Inspection
Installing keys:
  Automatic: register the device at the Juniper Networks Web site, then download the licenses
  FW-> exec license-key update

File Management

Store and retrieve critical files used by the Juniper Networks device:
  ScreenOS image
  Configuration files
File locations:
  On-board flash memory
  TFTP server
  Management station (WebUI only)
  USB (SSG 5 and SSG 20)
  Compact flash
  PCMCIA

Saving Your Configuration

Saving in the three interfaces:
  CLI:
    Manual command: FW-> save
    Writes to the on-board flash configuration file
  WebUI:
    Saves automatically when you click Apply or OK
    Console displays save messages
  Security Manager:
    Saves to the Security Manager database
    Policies and VPNs must be saved manually
    Configuration is not automatically loaded on the device

Configuration File Management: CLI

Only available to the root administrator.
Configuration backup:
  save config from flash to [tftp address | pcmcia | slot1] filename
  FW-> save config from flash to tftp 1.1.7.250 15Jun06.cfg
Restoring configuration:
  Option 1: copies the file into flash; it takes effect at the next reboot
    save config from [tftp address | pcmcia | slot1] filename to flash
    FW-> save config from tftp 1.1.7.250 15Jun06.cfg to flash
  Option 2: merges the file into the running configuration in RAM. BE CAREFUL!
    save config from [tftp address | pcmcia | slot1] filename merge
    FW-> save config from tftp 1.1.7.250 15Jun06.cfg merge
A merge executes the file's commands immediately on top of the running configuration: it adds and overrides, and does not remove settings the file is silent about. A saved configuration file contains the admin accounts and keys, so the TFTP server it is copied to must sit on the management network.

Configuration File Management: WebUI

WebUI: Configuration > Update > Config File

Configuration Rollback

Provides a safety net for failed or corrupted configurations:
  If the default configuration in flash memory cannot be loaded, the system tries to load the last-known-good file
  You can manually force the system back to a known configuration to correct configuration mistakes
    FW-> save config to last-known-good
Rollback commands:
  FW-> exec config rollback enable
  **Make any CLI changes**
  FW-> reset
  **Make sure device is working**
  FW-> exec config rollback disable

Software Image Management

Image backup:
  save software from flash to [tftp address | pcmcia | slot1] filename
  FW-> save software from flash to tftp 1.1.7.250 FWimage.bin
Image importing (upgrade):
  save software from [tftp address | pcmcia | slot1] filename to flash
  FW-> save software from tftp 1.1.7.250 newimage to flash

Upgrade Example: CLI

FW-> save software from tftp 1.1.7.250 newimage.bin to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 3304662
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ... update new flash image (02c86db0,3304662)
platform = 17, cpu = 10, version = 16
offset = 20, address = 900000, size = 3304584
date = 0, time = 0, cksum = 28e9f31c
Program flash (0,3304662) ...
++++++++++++++++++++++++++++++++++++++++++++++++++done
Done
FW-> reset

TFTP neither authenticates the server nor protects the transfer, so verify the image file against the checksum Juniper publishes for that release before serving it, and back up the running image first (previous slide) so that a bad flash can be recovered from boot mode.

Upgrade Example: WebUI

Configuration > Update > ScreenOS/Keys

Disaster Recovery

Juniper Networks devices support features to deal with electronic disasters, including:
  Corrupted ScreenOS image in flash memory
  Lost root password
  Procedure to reset to factory defaults

Recovering the ScreenOS Image: Boot Mode (1 of 2)

Juniper Networks ISG Series BootROM V1.1.0 (Checksum: 90554656)
Copyright (c) 1997-2006 Juniper Networks, Inc.
Total physical memory: 2048MB
Test - Pass
Initialization................ Done
<output omitted>
Juniper Networks ISG 1000 OS Loader Version 1.0.1
Initialize FBTL 0.. Done
Hit any key to load new firmware
Serial Number [0133072006000291]: READ ONLY
HW Version Number [1010]: READ ONLY
Self MAC Address [0010-dbc0-a580]: READ ONLY
Boot File Name [screenos_image]: isg1000.6.0r1.0
Self IP Address [192.168.1.1]: 10.1.75.1
TFTP IP Address [192.168.1.248]: 10.1.75.250
Save loader config (56 bytes)... Done

Notes: the TFTP server must be connected to the default management interface (which interface that is depends on the device) and must be on the same subnet as the device.

Recovering the ScreenOS Image: Boot Mode (2 of 2)

Loading file " isg1000.6.0.0r1.0 "...
r!r.tatatatatatatatatatatatatatatatat
Loaded Successfully! (size = 3,444,522 bytes)
Ignore image authentication!
Save to on-board flash disk? (y/[n]/m) Yes!
Saving as default system image in flash disk...
Done! (size = 3,444,522 bytes)
Run downloaded system image? ([y]/n) Yes!
Start loading...
.................................................................
.......................................................
Done.
Juniper Networks, Inc
ISG-1000 System Software
Copyright, 1997-2007
Version 6.0.0r1.0
Load Manufacture Information ... Done
Initialize FBTL 0.... Done
Load NVRAM Information ... (5.4.0)Done

Note the line "Ignore image authentication!": in this boot-mode path the loader reports that it skipped authentication of the image it fetched over TFTP, so the only integrity check is the one you perform on the file before serving it.

Lost Root Password

Two methods of system recovery:
  1. Log in to the console with the device serial number as both username and password
     Warning messages regarding the destructive results will appear
  2. Use the pinhole on the exterior of the system
     Press until the flashing light changes to orange
     Release, count 3 seconds, and press again until it flashes red
     The device then flashes all LEDs and reboots itself

Note: passwords CANNOT be recovered
  The system must be restored to factory defaults
  Also called asset recovery
  Erases all configuration parameters

Both methods require only physical access (console port or chassis), and the serial number is printed on the device, so console access and the chassis must be physically controlled. Where this recovery path is not acceptable it can be turned off with unset admin device-reset (serial-number login) and unset admin hw-reset (pinhole); after that, a lost root password leaves no recovery path on the device itself.
